Techdirt. Stories filed under "odni"
Easily digestible tech news... https://www.techdirt.com/

DOJ To Court: Hey, We're Shutting Down Section 215, So We Can Probably Stop Arguing About The Legality Of Bulk Collection
Tim Cushing | Tue, 28 Jul 2015 08:51:00 PDT
https://www.techdirt.com/articles/20150727/23204031771/doj-to-court-hey-were-shutting-down-section-215-so-we-can-probably-stop-arguing-about-legality-bulk-collection.shtml

Just as James Clapper's office was officially announcing the death of the bulk phone metadata program (ending November 29th, with three months of post-wind-down wind-down for data analysts), the DOJ was filing a motion in the Second Circuit Court of Appeals basically arguing that its finding that the program was illegal really doesn't matter anymore.

According to the DOJ, there really is no program -- at least if you don't count the six months the NSA has to make the move to the more targeted USA Freedom version. So this discussion about which program isn't authorized by which PATRIOT Act provision is… well, not completely moot, but like pretty much literally weeks away from moot, so why are we wasting our time here [EXASPERATED SIGH].

Plaintiffs’ claims will be moot when the bulk collection of telephony metadata under Section 215 ends on November 29, 2015, though they are not moot right now. On that date, the statutory authority for the Section 215 bulk telephony-metadata program will expire, and the data previously collected and held under that program will not be used in the future for intelligence-gathering or law-enforcement purposes. In the meantime, however, the Court should respect Congress’s decision to create an orderly transition away from the Section 215 bulk telephony-metadata program. Especially in light of Congress’s considered judgment that this program should continue for this limited period, plaintiffs are not entitled to any of the relief they request.

In support of its argument that the court should ignore its own findings and just listen to what the FISA Court said (and what legislators didn't say, but obviously intended), the government points to its own Tumblr post (certainly a historical moment in its own right) detailing the specifics of the end of Section 215.

On July 27, 2015, the Office of the Director of National Intelligence (ODNI) issued a public statement that the NSA has determined that “analytic access to that historical metadata collected under Section 215 . . . will cease on November 29, 2015,” at the end of the transition period. See Statement by ODNI on Retention of Data Collected Under Section 215 of the USA PATRIOT Act, available at http://icontherecord.tumblr.com/post/125179645313/statement-by-the-odni-on-retention-of-data (ODNI July 27 Statement). Thus, after that date, no further bulk collection of telephony metadata will take place under the Section 215 program, and the historical telephony metadata will not be used for intelligence or law-enforcement purposes and will not be disseminated.

To sum up: these past abuses should no longer be of concern as the data is going to be flushed (for the most part) within the next nine months. To better enable said data flush, the Second Circuit Court might want to wrap up the ACLU's suit (and hasten the end of the EFF's) so that no data is still being "preserved" past the November 2015 dump point.

To that end, the DOJ constantly reminds the Second Circuit that the FISA Court really has a handle on these sorts of things and why don't we just leave it to the pros.

The FISC was right that Congress authorized the Section 215 bulk telephony-metadata program to continue during the six-month transition period. [p. 6]

As the FISC correctly noted, Congress’s decision to delay that ban for six months is a powerful indication that it intended to permit bulk collection in the interim period. [p. 9]

The FISC was thus correct when it observed that “after lengthy public debate, and with crystal clear knowledge of the fact of ongoing bulk collection of call detail records” Congress “chose to allow a 180-day transitional period . . . .” June 29 FISC Op. at 11. This Court need not and should not determine whether Congress “ ‘ratif[ied] the FISA Court’s interpretation of ’ ” Section 215. [p. 11]

This filing, like its Tumblr statement announcing the official end of the collection, emphasizes the single aspect of the Section 215 bulk collections that has been the focus of this litigation and most legislative efforts: phone metadata. The authorization -- even in its altered, post-USA Freedom Act form -- provides for much more than just this one type of collection. The DOJ goes so far as to call the USA Freedom Act a "ban" on bulk, untargeted collections, when it actually doesn't go quite that far.

I believe both ACLU and EFF’s phone dragnet client Council on American Islamic Relations, had not only standing as clients of dragnetted companies, but probably got swept up in the two-degree dragnet. But CAIR probably has an even stronger case, because it is public that FISC approved a traditional FISA order against CAIR founder Nihad Awad. Any traditional FISA target has always been approved as a RAS seed to check the dragnet, and NSA almost certainly used that more back when Awad was tapped, which continued until 2008. In other words, CAIR has very good reason to suspect the entire organization has been swept up in the dragnet and subjected to all of NSA’s other analytical toys.

EFF, remember, is the one NGO that has a preservation order, which got extended from its earlier NSA lawsuits (like Jewel) to the current dragnet suit. So when I Con the Record says it can’t destroy all the data yet, it’s talking EFF, and by extension, CAIR. So this announcement — in addition to preparing whatever they’ll file to get the Second Circuit off its back — is likely an effort to moot that lawsuit, which in my opinion poses by far the biggest threat of real fireworks about the dragnet (not least because it would easily be shown to violate a prior SCOTUS decision prohibiting the mapping of organizations).

This announcement by Clapper's office, followed shortly thereafter on the same day by the filing of its response in the Second Circuit case, certainly gives the appearance that the NSA has lifted the corner of the rug and is just waiting for the signal to start sweeping any undiscovered abuses -- along with those previously exposed -- under it. That the expiration of the authority and the passage of the USA Freedom Act may have provided it with a better broom is unexpectedly fortuitous.

Director Of National Intelligence Hammers Final Official Nail Into Bulk Phone Records Program
Tim Cushing | Tue, 28 Jul 2015 07:35:00 PDT
https://www.techdirt.com/articles/20150727/20403031770/director-national-intelligence-hammers-final-official-nail-into-bulk-phone-records-program.shtml

The Office of the Director of National Intelligence has issued a statement addressing the inevitable shutdown of the Section 215 bulk phone metadata program.

NSA has determined that analytic access to that historical metadata collected under Section 215 (any data collected before November 29, 2015) will cease on November 29, 2015. However, solely for data integrity purposes to verify the records produced under the new targeted production authorized by the USA FREEDOM Act, NSA will allow technical personnel to continue to have access to the historical metadata for an additional three months.

Caveats apply. Data will still be held as required by a handful of ongoing lawsuits. With the "bulk" part of the bulk records program shut down (but not completely), the government is obviously hoping for a speedy end to the litigation resulting from the Snowden leaks. That's the other motivating factor behind this public statement that not only states an end date, but the additional restrictions past that point.

This is a pretty remarkable moment in the security v. privacy battle, but there are still reasons to be concerned. The bulk telephony metadata program has received a majority of the focus since Snowden's initial leak and the NSA, at times, has seemed almost too willing to let this program act as a scapegoat for its multiple privacy-violating surveillance programs.

Not that there haven't been seriously heated (and seriously misguided) arguments offered in support of this program, but if you take a close look at the history of the debate over Section 215, the most-spirited defenses have not been raised by the NSA, but by legislators and former intelligence officials. The program appears to have been sacrificed in order to prevent more intrusive surveillance programs from being subjected to more intense scrutiny.

And it's not even the totality of what can be collected under Section 215. The statement from the ODNI specifically addresses only one kind of "tangible thing."

The telephony metadata preserved solely because of preservation obligations in pending civil litigation will not be used or accessed for any other purpose, and, as soon as possible, NSA will destroy the Section 215 bulk telephony metadata upon expiration of its litigation preservation obligations.

We don't know what else is being collected in bulk under the PATRIOT Act provision -- the same authority that expired this year and was replaced with the stipulations of the USA Freedom Act -- but we know it's more than just "telephony metadata." "Tangible things" encompasses far more than phone metadata ("books, records, papers, documents, and other items"), but this statement -- as well as arguments the government has made in court in support of the six-month wind-down period -- only addresses phone records.

The Second Circuit Court found that the bulk collection of records under Section 215 was likely illegal. That opinion called into question anything collected under this authority, but the government here (and in its recent filing in the Second Circuit Court) acts as though the "illegal" collection activity is limited solely to phone records.

Other NSA programs are going to be far more useful in gathering data and intelligence than the collection of phone records. Phone calls may never go away entirely, but the shift to mobile communications (followed shortly thereafter by the shift to feature phones and smartphones) has made phone calls the least used feature on these devices. Messaging programs and social media platforms now carry the bulk of everyday communications. And the NSA has programs in place to sweep up these as well, whether as content or metadata. So, all of this focus on "telephony" only serves to obscure what else it may still collect with the revamped program, as well as everything else it does under much more secretive legal authorities.

Latest Explanation For James Clapper Lying About 'Essential' NSA Spy Program: 'He Forgot About It'
Mike Masnick | Mon, 11 May 2015 06:10:23 PDT
https://www.techdirt.com/articles/20150508/18041530944/latest-explanation-james-clapper-lying-about-essential-nsa-spy-program-he-forgot-about-it.shtml

seen this video of James Clapper lying to Senator Ron Wyden and the American public while testifying before Congress in early 2013:

Here's the key transcript:

Wyden: Does the NSA collect any type of data at all on millions or hundreds of millions of Americans?

Clapper: No sir.

Wyden: It does not?

Clapper: Not wittingly. There are cases where they could, inadvertently perhaps, collect—but not wittingly.

This was a lie. Many people believed it was a lie at the time, but that was confirmed thanks to the documents leaked by Ed Snowden, who later claimed that seeing that bit of testimony helped convince him that he needed to go through with his plan to leak this information.

James Clapper, of course, is the Director of National Intelligence, and the heads of the various intelligence agencies basically report in to him. He's still in that job, which many people argue is a complete travesty. He flat out lied to Congress and got away with it.

What's been really odd is that the story as to why Clapper lied seems to keep changing. When questioned about this, Clapper's initial response was that he thought that Wyden was asking about collection of email information, which is clearly not the case if you just listen to the actual question. Wyden, pretty clearly, says "any type of data at all." About a week later, Clapper changed his story, saying that he believed the question was an unfair "loaded question" (he compared it to the "when did you stop beating your wife" type of question -- even though it's not that at all) and then said that he gave "the least untruthful answer."

This didn't make much sense either -- and it made even less sense when Senator Wyden revealed that he didn't just spring this question on Clapper, but had sent it to Clapper's office a day ahead so he could review the question and be aware of what he was to be asked. On top of that, Wyden revealed that after Clapper's answer -- which Wyden knew was false -- Wyden staffers sent a letter to Clapper asking him if he wanted to amend his answer, and Clapper's office refused to do so.

About a month later, Clapper finally admitted that he lied, now claiming that it was all a "mistake."

"mistakes will happen, and when I make one, I correct it."

Except... he had been given the chance to correct it and he didn't. It was only after it was publicly revealed (via Snowden and Glenn Greenwald) that Clapper was outright lying that he claimed he made "a mistake." But, even then, it only came after pretending he misheard the question, then claiming that it was a loaded question (when it was not). And then, of course, months later, Clapper could pretend, with the benefit of hindsight, that he should have been more forthright about the program, but that's difficult to believe. And none of it matters, because the DOJ refuses to investigate Clapper for lying.

And yet, Clapper's story continues to keep changing. Late last year, he tried to rewrite the story, suggesting that he was sandbagged and caught off-guard, rather than lying:

“When I got accused of lying to congress because of a mistake ... I had to answer on the spot about a specific classified program in a general, unsecure setting.”

“This was not an untruth or a falsehood. This was just a mistake on his part,” Robert Litt, the general counsel for the Office of the Director of National Intelligence, said during a panel discussion hosted by the Advisory Committee on Transparency on Friday.

“We all make mistakes.”

Litt on Friday said that Clapper merely did not have a chance to prepare an answer for Wyden and forgot about the phone records program when asked about it on the spot.

“We were notified the day before that Sen. Wyden was going to ask this question and the director of national intelligence did not get a chance to review it,” Litt said.

“He was hit unaware by the question,” Litt added. “After this hearing I went to him and I said, ‘Gee, you were wrong on this.’ And it was perfectly clear that he had absolutely forgotten the existence of the 215 program.”

Instead, Litt said, Clapper had been thinking about separate programs authorized under Section 702 of the Foreign Intelligence Surveillance Act, which the NSA has used to collect massive amounts of foreigners’ Internet data. The law explicitly prohibits the government from gathering the same kind of data about Americans, unless it is “incidental.”

“If you read his answer it is perfectly clear that he was thinking about the 702 program,” Litt said. “When he is talking about not wittingly collecting, he is talking about incidental collection.”

Litt, he said, also erred after the hearing by not sending a letter to the panel to correct the mistake.

First of all, while Litt at least is admitting that Wyden had sent the question in beforehand, he leaves out the part about Wyden asking Clapper's office the next day if it wanted to amend Clapper's answer. If it's true that Litt immediately told him that Clapper was wrong, then you would think when asked by Wyden if he wanted to amend his answer, he would have done so. He did not. So either Litt told Clapper he was wrong and Clapper said, "Hey, let's let that lie stand," or Litt is not being truthful here either. It wasn't just them not sending a letter correcting the mistake, but it was directly rejecting Wyden's staff specifically asking them if they wanted to correct the record. That shows that any claim that Clapper just "forgot" or even "misspoke" has to be a flat out lie, since he had a clear opportunity to correct the mistake and was even asked to do so, and consciously chose not to do so.

But much more importantly, considering just how much Clapper and others have been prattling on for years about how "crucial" and "important" the bulk phone records collection is in protecting the American public, it is simply unbelievable to argue that Clapper would "forget" about the program. Either that means the program is not important at all... or that someone is lying.

The fact that Clapper's story on this keeps changing suggests he still can't come to admit the obvious answer: he didn't want to reveal his beloved secret program, and so he lied. He just flat out lied. And he's still lying in failing to admit that.

Clapper: The Attacks We Didn't Prevent In The Past Can't Be Prevented In The Future If Section 215 Is Allowed To Die
Tim Cushing | Thu, 5 Mar 2015 08:12:00 PST
https://www.techdirt.com/articles/20150302/16581330187/clapper-attacks-we-didnt-prevent-past-cant-be-prevented-future-if-section-215-is-allowed-to-die.shtml

Over a decade has passed since the 9/11 attacks, and the intelligence community still won't let the attack it didn't prevent be laid to rest. It is exhumed over and over again -- its tattered remains waved in front of legislators and the public, accompanied by shouts of, "YOU SEE THIS?!? THIS IS WHAT HAPPENS WHEN WE DON'T GET OUR WAY!"

It's grotesque and ghastly and -- quite frankly -- more than a little tiresome. The NSA's Section 215 program is set to expire on June 1st and James Clapper is making statements in its defense -- statements that read like someone attempting to sound more disappointed than angry. But this is James Clapper speaking, and all prior evidence points to him being unwilling to make any concessions on the domestic surveillance front.

"In the end, the Congress giveth and the Congress taketh away," he said. "If the Congress, in its wisdom, decides the candle isn't worth the flame, the juice isn't worth the squeeze, whatever metaphor you want to use, that's fine."

"The intelligence community will do all we can within the law to do what we can to protect the country. I have to say that every time we lose another tool in our toolkit, it raises the risk," he added. "If that tool is taken away from us, 215, and, some untoward incident happens which should have been thwarted had we had it, I hope everyone involved in that decision assumes the responsibility and it not be blamed, if we have another failure, exclusively on the intelligence community."

The subtext is clear and Jason Koebler at Vice spells it out succinctly: Kill Section 215, but don't blame us if another 9/11 happens.

The intelligence community continues to argue -- without evidence -- that the program has aided in combating terrorism. It can't say how or offer any details as to attacks thwarted, but it makes the assertion all the same. The Privacy and Civil Liberties Oversight Board (PCLOB) has access to intelligence documents most Americans will never see and yet it came to this conclusion: the bulk records program is both useless and a violation of civil liberties.

Clapper's defense of the program seems to be faith-based. In a single clumsy metaphor, Clapper summons the spirit of two Simpsons characters.

"215, to me, is much like my fire insurance policy for my home," he said. "The house never burns down, but I buy fire insurance, just in case."

Lisa Simpson argued against Homer's specious "bear patrol" reasoning by claiming a rock she found on the ground could keep tigers away -- noting that the lack of nearby tigers "proved" the rock worked. This is Clapper's sales pitch: the lack of another 9/11 attack is "proof" the program is necessary. Well, we haven't had a Summer Olympics hosted in this country since 1996, so it could also be claimed that Section 215 of the PATRIOT Act has been instrumental in preventing the US from hosting this extremely destructive parasite momentous event. After all, the roots of Section 215 also trace back to a 1990s partnership between the NSA and DEA to collect phone records on calls to foreign countries originating in the US.

Ned Flanders -- perhaps the most upstanding (and naïve) Springfieldian -- notably considered insurance coverage to be a form of gambling. Clapper's "gamble" -- his supposed "insurance" -- bets on surveillance state wins while putting Americans' privacy up as collateral. Even when viewed through Clapper's twisted perspective, the metaphor fails.

The difference here is that the NSA's "insurance" is intrusive information on just about every citizen in the United States, regardless of whether or not they've done anything wrong.

The defenders of the surveillance framework always point to attacks they didn't prevent (like the Boston Bombing) as justification for intrusive spy programs. That argument alone should be greeted with riotous, disbelieving laughter. But they press this even further, giving themselves credit for every lull between major attacks and ignoring every report or investigation that shows their favorite programs do little more than make the job of counterterrorism more difficult.

Clapper seems to believe the death of the Section 215 program will be the death of us all. It's an absurd belief. Unfortunately, it's shared by far too many of those in the position to prevent its expiration.

Intelligence Community's Top Lawyer Endorses Desire For Unicorns, Leprechauns & Golden Keys That Don't Undermine Encryption
Mike Masnick | Thu, 5 Feb 2015 09:20:15 PST
https://www.techdirt.com/articles/20150204/17480229914/intelligence-communitys-top-lawyer-endorses-desire-unicorns-leprechauns-golden-keys-that-dont-undermine-encryption.shtml

well worth reading. There's a lot of "yes, we could have done a better job explaining ourselves, and we promise we're learning" kind of talk, but little of real substance. However, at the very end of the speech, he joins the ridiculous bandwagon of ignorant government and law enforcement attacking the idea of encryption the government can't crack. But, similar to the Washington Post's magical golden key (not a backdoor!) proposal, Litt has some wishful thinking about a magic key that only the government can use:

Encryption is a critical tool to protect privacy, to facilitate commerce, and to provide security, and the United States supports its use. At the same time, the increasing use of encryption that cannot be decrypted when we have the lawful authority to collect information risks allowing criminals, terrorists, hackers and other threats to escape detection. As President Obama recently said, “[i]f we get into a situation in which the technologies do not allow us at all to track someone that we’re confident is a terrorist …that’s a problem.” I’m not a cryptographer, but I am an optimist: I believe that if our businesses and academics put their mind to it, they will find a solution that does not compromise the integrity of encryption technology but that enables both encryption to protect privacy and decryption under lawful authority to protect national security.

I'm not sure how many times in how many different ways this needs to be explained, but what they're asking for is a fantasy. You cannot put a backdoor in encryption and create a magic rule that says "only the government can use this in lawful situations." That's just not how it works. At all. The very idea of decryption by a third party "compromises the integrity of the encryption technology," almost by definition.

Separately, Litt's reassurances elsewhere ring incredibly hollow. In trying to respond to concerns about so-called "incidental" collection of information under Section 702 of the FISA Amendments Act (information that the NSA isn't allowed to collect, but does so anyway and then hangs onto it and makes it searchable by a variety of government agencies), he notes that they have "reaffirmed" that such data must be deleted if they're determined to have no foreign intelligence value, but then (no joke!) his own speech has an asterisk with a giant loophole. Here is the speech posted on the ODNI's own Tumblr page:

It's like they're really not even trying to hide the massive loopholes they've built in. In case you're wondering, the loopholes buried in that asterisk include basically everything:

Under the new policy, in addition to any other limitations imposed by applicable law, including FISA, any communication to or from, or information about, a U.S. person acquired under Section 702 of FISA shall not be introduced as evidence against that U.S. person in any criminal proceeding except (1) with the prior approval of the Attorney General and (2) in (A) criminal proceedings related to national security (such as terrorism, proliferation, espionage, or cybersecurity) or (B) other prosecutions of crimes involving (i) death; (ii) kidnapping; (iii) substantial bodily harm; (iv) conduct that constitutes a criminal offense that is a specified offense against a minor as defined in 42 USC 16911; (v) incapacitation or destruction of critical infrastructure as defined in 42 USC 5195c(e); (vi) cybersecurity; (vii) transnational crimes; or (viii) human trafficking.

Yes, some of the activities covered by this list are pretty bad. But it doesn't change the fact that the NSA isn't supposed to collect such information or retain it at all. Writing in all these exceptions is pretty damn broad, especially given the NSA and its "cute" interpretations of the law.

Minimal Tweaks To The Government's Surveillance Apparatus Reaffirm That Status Is Still Mainly Quo
Tim Cushing | Tue, 3 Feb 2015 14:43:03 PST
https://www.techdirt.com/articles/20150203/11085229895/minimal-tweaks-to-governments-surveillance-apparatus-reaffirm-that-status-is-still-mainly-quo.shtml

The Privacy and Civil Liberties Oversight Board -- reconvened in a hurry after Snowden began leaking -- has just released a followup report on its recommendations for NSA surveillance program fixes. What it found was that some progress had been made, but most of its major recommendations (like shutting down the Section 215 program) were barely underway. In some cases, its recommendations had been ignored completely -- like its call for some measure of the Section 215 and Section 702 program's effectiveness in fighting terrorism. To date, no data has been provided by the NSA that would justify these bulk surveillance programs.

The Office of the Director of National Intelligence has just released a list of surveillance program tweaks for the NSA (and the agencies that dip into the haystacks: the FBI and CIA). Changes are being made, although many of them are minimal and others are hidden behind a wall of secrecy. The administration -- which ordered the convening of the PCLOB and backed up its findings -- has said very little about the NSA's programs over the intervening months.

The New York Times, covering the rule tweaks, was only able to obtain statements from unnamed government officials. The exposure of surveillance on foreign leaders in allied countries (primarily Germany's Angela Merkel) generated a lot of heat, ultimately resulting in a rare promise from President Obama himself that this would be discontinued. Presumably, other world leaders have been dropped from the surveillance list, but it's anyone's guess which ones are no longer being eyeballed by the NSA.

Mr. Obama has never said whom, beyond Ms. Merkel, he took off the list of foreign leaders whose conversations are monitored, but it appeared that programs in Mexico and Brazil continued, while several dozen leaders have been removed.

“There’s now a process in place that the National Security Council runs,” said one senior official. But the results of that process — especially the names of leaders whom the White House plans to keep monitoring — will remain secret.

The administration has announced some smaller tweaks as well, including some targeting one of its most abused pieces of paper: the National Security Letter. When a warrant or information request is rejected, agencies (mainly the FBI) deploy these instead. NSLs will still be abused, but the public may have a chance to finally see the abuse for themselves.

In the new rules, “the F.B.I. will now presumptively terminate National Security Letter nondisclosure orders at the earlier of three years” after the opening of an investigation, the administration will announce, or at the close of the investigations. But an exception can be made if a midlevel F.B.I. official offers a written justification for continued secrecy.

The exception can be expected to swallow the rule. Rarely, if ever, does any judge challenge the government's national security claims -- which will likely be the "written justification" used most to push NSL gag orders in the direction of "forever."

There is a small chance legislators will allow the Section 215 program to die. The expiration date for the bulk metadata program is June 1st. The companies affected by these orders have demanded they be "compelled" to turn over the data, which would take an act of Congress. If Congress isn't up for it, the expiration date could pass and finally end the controversial (and useless) program. But given recent terrorist attacks and highly-visible ISIS activity, the legislative pendulum is likely swinging back towards more surveillance and fewer surveillance reforms.

The changes that are being implemented don't solely affect the NSA. As noted above, the FBI and CIA also have access to the NSA's collections under these programs (phone metadata, email content). It's no secret the FBI has used NSA data in the past (along with other related agencies), disguising its origin through parallel construction. The programs' guidelines allow the NSA to pass on information related to criminal activity or possible criminal activity. This may no longer be the case. The wording is vague but as Marcy Wheeler (of the essential surveillance-focused blog Emptywheel) reads it, it seems to suggest the FBI will no longer have this option.

If FBI is adopting "new" policy of only using 702 info against people in NatSec cases that means existing policy was?

The old policy can be somewhat gleaned from FISA court opinions obtained via FOIA lawsuits. FISA judge Roger Vinson noted this in his 2007 decision granting the NSA permission to continue with its email collection program (Section 702):

Information that is not foreign intelligence information, but reasonably appears to be evidence of a crime that has been, is being, or is about to be committed, may be disseminated (including United States person identities) to the FBI and other appropriate federal law enforcement authorities, in accordance with 50 U.S.C. 1806(b), Executive Order No. 12333…

This would indicate the FBI has used these programs in its investigative work over the past seven years, if not longer. The parallel construction hid the information's origin from both the courts and defendants. There was simply no way the government was going to expose its domestic surveillance programs in court, at least not until Snowden's leaks made its secrecy moot.

Now, after multiple years of the FBI allowing the NSA to do its dirty work in the name of "national security" (something the FBI would never be allowed to do under the auspices of law enforcement), the system is finally being reset to where most Americans always assumed it had been: NSA for national security and FBI for law enforcement, rather than the perversely symbiotic relationship the agencies talked legislators and the FISA court into supporting. Not that this means the FBI won't have access to the data (it is in the national security business as well), but it should curtail its tendency to use the easiest available method, regardless of legality.

James Clapper Claims That Sony Hack 'The Most Serious Cyberattack On The US Yet'; Which Suggests No Serious Cyberattacks
Mike Masnick
Thu, 8 Jan 2015 14:46:36 PST
https://www.techdirt.com/articles/20150107/17402029626/james-clapper-claims-that-sony-hack-most-serious-cyberattack-us-yet-which-suggests-no-serious-cyberattacks.shtml

"the most serious cyberattack" made to date against the US. If that's true (and it's likely not), then that really kind of undermines all the claims about just how "serious" cyberattacks are to national security. Yes, the Sony Hack was incredibly embarrassing to Sony and some individuals and partners. Yes, it may cost Sony a significant amount of money in cleaning up the mess. But no one died. No serious long-term problems were created by it. No one has to "rebuild" a city. The actual impact of the hack on the day-to-day lives of most people is next to nothing. For years, people like Clapper have been warning of the pending "cyber Pearl Harbor," and if this is the best they've got so far... sorry, but that's just not that serious.

At the same event, Clapper apparently insisted not only that he was sure North Korea was behind the hack, but that he knew who ordered it. He also revealed some more info on the (little known) fact that he had traveled to North Korea two weeks before the hack, where he met with the guy he now says is responsible. Marcy Wheeler raises some questions about whether Clapper's trip had something to do with the hack (if it really was done by North Korea).

Speaking of which, at the very same event, FBI director James Comey, once again, insisted that North Korea was responsible and claimed that the hackers "got sloppy" and revealed their own IP addresses. It could be that. Or whoever did it could have been slightly more sophisticated, leaving false markers pointing to North Korea. But, as of right now the FBI is sure that sloppiness is a better excuse.

Either way, it still seems like much more is being made of the Sony Hack than it deserves. Yes, it was a big hack, and yes, it revealed a ton of private documents that clearly have embarrassed Sony quite a bit. But if the future of war involves embarrassing big companies, rather than killing thousands of people -- I think I'd make that trade-off.

Newly-Released Documents Show NSA Claiming An Email Address Is A 'Facility,' Skirting Probable Cause Requirements
Tim Cushing
Tue, 16 Dec 2014 06:15:29 PST
https://www.techdirt.com/articles/20141214/08210429437/newly-released-documents-show-nsa-claiming-email-address-is-facility-skirting-probable-cause-requirements.shtml

focused elsewhere, it must mean it's time for another document release from James Clapper's office (ODNI). The heavily-redacted documents dumped by the ODNI deal with the precursors to the FISA Amendments Act (FAA): the Terrorist Surveillance Program (TSP) and 2007's interim legislation (Protect America Act or PAA) that bridged the gap between the TSP and the FAA.

The most interesting document in the release is an April 3, 2007 order [pdf link] from the FISA court which contains some rare hesitation from a FISA judge (Roger Vinson) as he deals with the NSA's desire to capture communications without providing probable cause support for its actions.

A footnote attached to the first paragraph of the order makes it clear Judge Vinson felt he was drifting into uncharted waters, with much of that being due to the NSA's shifting definitions of surveillance terms in its previous legal arguments.

This order and opinion rests on an assumption, rather than a holding, that the surveillance at issue is 'electronic surveillance' as defined at 50 U.S.C. 1801(f), and that the application is within the jurisdiction of this Court.

Vinson's order points out that the NSA attempted to change the rules of its interception program, both in terms of the evidence it provides as well as its desire to collect communications of known US persons.

Until recently, these were the only circumstances in which the government had sought, or this Court had entered, a FISA order authorizing electronic surveillance of the telephone or e-mail communications of suspected international terrorists. However, on December 13, 2006, in Docket No. [redacted], the government filed an application seeking an order that would authorize the electronic surveillance of telephone numbers and e-mail addresses thought to be used by international terrorists without a judge's making the probable cause findings described above, either before the initiation of surveillance or within the 72 hours specified in 1805(f)...

The NSA claimed in its support memos that the probable cause finding was preventing the agency from working at maximum efficiency, causing it to fall behind a constantly moving terrorist threat. In addition, its January 2007 requests included one seeking permission to collect communications from known US persons, again without meeting even the lowered bar of probable cause required by the FISA court. While the court did hand down a number of stipulations, it allowed the NSA to use its proposed "emergency FISA application" to skirt probable cause requirements and the 72-hour notice period. It also granted this for rolling 90-day periods, subject to renewal. By doing this, the FISA court turned "emergency" surveillance into the new normal.

Beyond that, the NSA also sought to expand its set of "selectors." Previously, email addresses and phone numbers known to be used by (or about to be used by) members or agents of "foreign powers" or other redacted terrorist organizations were the only ones allowed to be used as selectors when collecting communications. In these applications, the NSA wanted to start contact chaining -- tasking email addresses or phone numbers that referred to previous selectors as new selectors. Judge Vinson's order notes that there's no way the NSA can hope to meet the probable cause requirement by doing this.

The acquisition of e-mail communications because they refer to a selector e-mail address does not appear to have been authorized under FISA prior to Docket [redacted] and is discussed further below.

The "further discussion" includes Vinson highlighting this relevant part of the FISA court's probable cause requirements.

(B) each of the facilities or places at which the electronic surveillance is directed is being used, or is about to be used, by a foreign power or an agent of a foreign power.

Because the NSA couldn't credibly claim that these new guilty-by-association selectors are being used by the targets it was authorized to collect from, the agency deployed a number of word games. Vinson points out that one memorandum of law defines "facilities" one way (more traditionally as an operations base), while the most recent one defined the word quite differently. (In particular, the NSA maintained that an email address or phone number is a "facility" in and of itself, simply because both "facilitate the transmission of communications." Footnote on page 32.)

Underlying the government's position, therefore, is the premise that 1805(a)(3)(B) can be applied so variously that a FISA judge has great discretion in determining what "facilities" should be the subject of the judge's probable cause analysis.

Much of what follows is redacted, especially where further clarification would be extremely useful. Reading between the black blocks, it appears the NSA attempted to argue that the collection of communications was distinct from the term "electronic surveillance," except for the gathering of internet communications, which it claims is synonymous with the statutory definition. After reading through the government's multiple citations (most of which the judge deems irrelevant) in support of its seemingly contrary arguments, Vinson arrives at this conclusion.

Tellingly, none of the cited cases stand for the proposition on which this application rests that electronic surveillance is not 'directed' at particular phone numbers and e-mail addresses.

That would be the NSA's argument that a "facility" can be an email address, except for the times when the more traditional definition allows it to cast a wider net. Vinson further points out that accepting the NSA's arguments means discarding the intent of Congress and removing the court's ability to act as a check against executive branch overreach.

However, even if the statutory language were as elastic as the government contends, it would still be incumbent on me to apply the language in the manner that furthers the intent of Congress. In determining what interpretation would best further congressional intent, it is appropriate to consult legislative history. That legislative history makes clear that the purpose of pre-surveillance judicial review is to protect the fourth amendment rights of US persons. Congress intended the pre-surveillance "judicial warrant procedure," and particularly the judge's probable cause findings, to provide an "external check" on executive branch decisions to conduct surveillance.

Contrary to this intent of Congress, the probable cause inquiry proposed by the government could not possibly restrain executive branch decisions to direct surveillance at any particular individual, telephone number or e-mail address.

[...]

Thus, under the government's interpretation, the judge's probable cause findings have no bearing on the salient question: whether the communications to be acquired will relate to the targeted foreign powers. As discussed below, the government would have all of the probable cause findings bearing on that question made by executive branch officials, subject to after-the-fact reporting to the Court, through processes characterized by the government as minimization. That result cannot be squared with the statutory purpose of providing a pre-surveillance "external check" on surveillance decisions, or with the expectation of Congress that the role of the FISA judge would be the same as that of judges under existing law enforcement warrant procedures.

He concludes:

I am unable, on the basis of the facts submitted by the applicant, to find probable cause to believe that each of these facilities "is being used, or is about to be used, by a foreign power or an agent of a foreign power." The application contains no facts that would support such a finding.

In this, we see the NSA behaving much like its spiritual brethren in law enforcement and investigative agencies -- seeking to route around probable cause requirements under the pretense that bad guys will always be at least one step ahead if the government is forced to follow the rules. Rather than stay within the confines, the NSA plays word games in an effort to bypass governing statutes. The agency has demonstrated repeatedly that it has little desire to work within the framework of the law and has on multiple occasions attempted to short-circuit the system by feeding the court bad information and pursuing elliptical legal arguments. The end result is the current surveillance framework, thanks to the FISA Amendments Act's codifying of the NSA's questionable collections under the Protect America Act.

James Clapper's Report On Progress Towards President's Surveillance Reforms Mainly Explores Executive Branch Loopholes
Tim Cushing
Wed, 22 Oct 2014 10:22:00 PDT
https://www.techdirt.com/articles/20141018/17281828877/odnis-interim-report-progress-towards-presidents-surveillance-reforms-mainly-explores-executive-branch-loopholes.shtml

James Clapper, the Director of National Intelligence, has issued an interim report on the intelligence community's minimal progress towards minimal compliance with the minimal reforms ordered by the administration last year in response to the Snowden leaks. Presidential Policy Directive 28 (PPD-28) was issued in January and James Clapper's office is proud to announce that it's still in the process of thinking about complying with the stuff the President asked them to do so many months ago.

As we work to meet the January 2015 deadline, PPD-28 called on the Director of National Intelligence to prepare an interim report on the status of our efforts and to evaluate, in coordination with the Department of Justice and the rest of the Intelligence Community, additional retention and dissemination safeguards.

The DNI's interim report is now being made available to the public in line with our pledge to share as much information about sensitive intelligence activities as is possible, consistent with our national security.

We're blown away with all the openness, Mr. Clapper. This must be the same transparency that has seen Clapper's office dump documents without referencing the federal lawsuits prompting this "largesse." Or the same transparency that tossed out the above-mentioned presidential directive -- one month after it went public -- with a self-congratulatory Tumblr post. (Yes. That is the world we live in now. The Director of National Intelligence speaks to the public through Tumblr, a venue more known for its porn gifs and faint odor of Yahoo! desperation. Thanks, Obama Snowden.)

Here are a few choice sections from our initial read of today's report:

"To that end, PPD-28 states that personal information of non-U.S. persons shall be retained and disseminated only if the retention and dissemination 'of comparable information concerning U.S. persons would be permitted under section 2.3 of Executive Order 12333.'"

We are disheartened to see ODNI pinning its privacy protections to Executive Order 12333. EO 12333 is a poorly-understood Reagan-era authority; one former State Department chief said:

"…Section 215 permits the bulk collection only of U.S. telephone metadata — lists of incoming and outgoing phone numbers — but not audio of the calls.

Executive Order 12333 contains no such protections for U.S. persons if the collection occurs outside U.S. borders. Issued by President Ronald Reagan in 1981 to authorize foreign intelligence investigations, 12333 is not a statute and has never been subject to meaningful oversight from Congress or any court…"

Repeatedly, the interim report addresses the new ideals… and then immediately appends, "unless EO 12333 says we can do otherwise." Admittedly, this flaw traces back to the administration's directive, which contains much of the "unless EO 12333" language referred to in the report.

Executive Order 12333 defines this term as "information relating to the capabilities, intentions, or activities of foreign governments or elements thereof, foreign organizations, foreign persons, or international terrorists." This definition ensures that the Intelligence Community is able to retain and disseminate information necessary for the United States to advance its national security and foreign policy interests. Nonetheless, the definition's reference to "information relating to . . . activities of . . . foreign persons," if read literally, could permit an element to permanently retain or to disseminate any information about any activity of any foreign person. Intelligence Community elements should permanently retain or disseminate such personal information only if the personal information relates to an authorized intelligence requirement, is reasonably believed to be evidence of a crime, or meets one of the other standards for retention or dissemination identified in section 2.3 of Executive Order 12333 for U.S. person information, and not solely because of the person's non-U.S. person status.

The EFF asks if the NSA has ever used this reading to its own advantage. Certainly no answer is expected, but the agency has long been a fan of fluid terms and malleable definitions. Which brings us to the ultimate show of executive branch deference, albeit one that implies the administration will help the agency do the things it really wants to, Presidential Policy Directive or no.

It is important that elements have the ability to deviate from their procedures when national security requires doing so, but only with approval at a senior level within the Intelligence Community element and notice to the DNI and the Attorney General.

Even the most modest of reforms still apparently needs ample breathing room and the ODNI carves out plenty with this single paragraph -- all without even bothering to address the mass surveillance programs that prompted the reforms in the first place.

Two Top Intelligence Officials, Both Of Whom Admitted To Lying In The Past, Now Try To Rewrite History And Deny The Lies
Mike Masnick
Fri, 19 Sep 2014 07:58:22 PDT
https://www.techdirt.com/articles/20140918/18452928569/two-top-intelligence-officials-both-whom-admitted-to-lying-past-now-try-to-rewrite-history-deny-lies.shtml

Wyden: Does the NSA collect any type of data at all on millions or hundreds of millions of Americans?

Clapper: No sir.

Wyden: It does not?

Clapper: Not wittingly. There are cases where they could, inadvertently perhaps, collect—but not wittingly.
At first, Clapper denied lying, saying he merely misunderstood the question, and thought it was about "voyeuristically" poring through emails. But the question is pretty explicit: "any type of data at all." Later, Clapper changed his story to claim that he did understand the question, but was taken off guard by it and gave "the least untruthful answer" he could. At that point, Wyden pointed out that he had actually given Clapper the questions a day earlier and then reached out to his office after to confirm that his answers were accurate, leaving Clapper plenty of opportunity to correct his error -- but Clapper did not. At that point, Clapper finally admitted he had lied and gave a semi-apology to Wyden, saying: "mistakes will happen, and when I make one, I correct it."

Except, now, over a year later, Clapper is back to denying that he lied. Before a "friendly" audience of defense and intelligence contractors (one of the questions to him started out, "You have a very supportive private sector in front of you..."), Clapper again pretended that he never lied to Congress at all. Even worse, he did so while introducing new "principles of professional ethics" for the intelligence community, and arguing that he did so because of the awful situation he endured when he was falsely accused of lying:

“When I got accused of lying to congress because of a mistake ... I had to answer on the spot about a specific classified program in a general, unsecure setting.”

Except, almost none of that is true. It wasn't on the spot. Wyden gave him the questions a day earlier. He didn't have to answer the question (before and since that questioning, Clapper and others have responded to nearly identical questions by saying they could only give details in a classified setting). And, again, Wyden gave Clapper a chance to correct the answer via a letter, and Clapper stood by the original letter. In other words, he lied. He flat out lied. And then he stood by it afterwards when he had a chance to correct the lie. And now he's lying about the lying. Oh, and as for the new "ethics" principles? 1) mission; 2) truth; 3) lawfulness; 4) integrity; 5) stewardship; 6) excellence; and 7) diversity.

Moving on, we've got CIA director John Brennan. After the big mess with Senator Dianne Feinstein accusing the CIA of spying on Senate staffers, Brennan tried to deny it (while his denials more or less confirmed the facts). However, he specifically told reporters:

"Let me assure you the CIA was in no way spying on [the Senate Intelligence Committee] or the Senate."

He also claimed that "when the facts come out on this," those who claimed that there was "spying" by the CIA "will be proved wrong." Fast forward a few months and the CIA's Inspector General confirmed everything in Feinstein's story, leading Brennan to apologize to Feinstein. In fact, the full CIA report revealed that the spying was even worse than Feinstein initially detailed.

And... guess what? Brennan is now denying he lied. At the very same conference he pulled a "who, me?" routine:

"Thwart the investigation? Hacking in? We did not."

Note that he's parsing words carefully. He's focusing on "thwarting the investigation" and "hacking" in -- though that depends on your definition of hacking. Under the DOJ's definition, what the CIA did was clearly hacking. It's why Senators Wyden and Udall asked Brennan about whether or not the US hacking statute, the CFAA, applied to the CIA. Because the CIA clearly was unauthorized to access the Senate staffers' network, based on a previous fight with the Senate Intelligence Committee, as detailed by Feinstein when she revealed the details:

Per an exchange of letters in 2009, then-Vice Chairman Bond, then-Director Panetta, and I agreed in an exchange of letters that the CIA was to provide a “stand-alone computer system” with a “network drive” “segregated from CIA networks” for the committee that would only be accessed by information technology personnel at the CIA—who would “not be permitted to” “share information from the system with other [CIA] personnel, except as otherwise authorized by the committee.”

Yet, now Brennan is twisting the story, to say that there was no hacking because they were the CIA's computers all along:

On Thursday, he pointed out the computers technically belonged to the CIA, even though they had been partitioned to create private work space for the Senate staffers.

There was more hairsplitting when he explained his apology. “I apologized then to them for any improper access that was done, despite the fact that we didn’t have a memorandum of understanding.”

Again, that directly contradicts reality. We'll see if Feinstein decides to respond to all of this, but Senator Wyden already has with a bit of internet slang in this hilarious tweet:

If you can't see it, that's Wyden's press office linking to one of these stories, saying "smh" which is internet shorthand for "shaking my head."

New Intercept Leak Shows That Intelligence Agencies Are Ready And Willing To Perform Economic Espionage If US Tech Edge 'Slips'
Tim Cushing
Fri, 5 Sep 2014 13:38:00 PDT
https://www.techdirt.com/articles/20140905/11222828433/new-intercept-leak-shows-that-intelligence-agencies-are-ready-willing-to-perform-economic-espionage-if-us-tech-edge-slips.shtml

The NSA has repeatedly assured the public that it definitely does not perform economic espionage. It may collect metadata and communications from around the world (including that of US citizens) and intercept shipments of computer hardware in order to install its own spying devices, but it doesn't perform espionage in service of American corporate interests.

This was the small thing that set our intelligence agencies slightly above similar agencies in China. Last August, the ODNI (James Clapper's office) sent this categorical denial to the Washington Post in response to leaked documents. (Emphasis in original.)

“The department does ***not*** engage in economic espionage in any domain, including cyber.”

A slight change in wording and the denial still holds. Or does it? The Intercept's latest set of documents -- issued by Clapper's office -- show the US government definitely has plans to do the one thing Clapper says we don't: spy for the benefit of US corporations.

The document, the 2009 Quadrennial Intelligence Community Review—provided by NSA whistleblower Edward Snowden—is a fascinating window into the mindset of America’s spies as they identify future threats to the U.S. and lay out the actions the U.S. intelligence community should take in response…

According to this document, one of the threats that the government might call in the services of its intelligence agencies to handle is a slip in America's "technological and innovative edge." The appropriate response in the free world -- especially a country that always tells its citizens they can achieve anything through hard work and determination -- would be to allow the struggling corporations to solve their own problems. If it really needed to get involved, the government could take a close look to see if it was creating bottlenecks with iffy IP laws or its random blend of regulation and deregulation. Anything but take the easiest way out.

But if the American way of life (such as it were) is threatened in the future, Clapper's office recommends letting the spies fix it.

Cheat to win. And saying everyone else is doing it (even if they are) doesn't do anything more than drag the US down to their level. One scenario included in the document posits Russia and India working together to outpace the US. At this point, the NSA and others would step in to perform cyber-espionage, hacking into the foreign research facilities and making off with proprietary data. The data collected would be (this is a direct quote)

...assesse[d] whether and how its findings would be useful to U.S. industry.

As is noted by Glenn Greenwald, there's no indication the US has actually done this in the past. But it is a long-term document, meant to envision the intelligence agencies' roles over the next 20 years. And one of those roles being discussed is stealing secrets to put US companies ahead.

Some may defend this as being a purely speculative document that details numerous what-if scenarios that will never be played out. But that defense is inadequate. The speculations aren't tied to scenarios in which the US government shifts towards a more China-like role and gives up its ambitions of being the leader of the free world. In these scenarios, the United States is presumed to be doing business as a democratic republic -- one that has often sought to rise above this sort of behavior.

The NSA has the capabilities to do many things, some of which remain unexplored (or at least unrevealed). This is one of them. The agency's defenders have argued that it doesn't abuse these powers, but its internal documents (along with statements from former NSA head Keith Alexander) indicate that it will always "play to edges" of its confinements. This document shows it's willing to step into this role if asked to. Or if it thinks it was asked to. Or it may perform this role proactively and ask forgiveness later.

The fact is that this scenario never should have been presented. It's not that much different than using the threat of domestic terrorism as a what-if projection for unencumbered harvesting of US citizens' communications. There are lines you don't cross -- not in this nation -- even hypothetically. Corporate espionage is one of them. Especially when the US Attorney General is handing out indictments for corporate espionage by the Chinese.

Nothing may ever come of this. But it's important for the world to know that offer is on the table.

James Clapper's Office Declassifies Another Set Of Fully-Redacted Pages
Tim Cushing
Fri, 22 Aug 2014 18:08:49 PDT
https://www.techdirt.com/articles/20140822/13134528295/james-clappers-office-declassifies-another-set-fully-redacted-pages.shtml

The ODNI continues to comply with court orders from FOIA lawsuits but its compliance is in letter only. Declassifying documents the way the ODNI does isn't helping further the debate on privacy vs. security or making the government's arguments for surveillance dragnets any more clear.

First up, the FBI's report on the maintenance and use of [REDACTED] databases. About the only thing surviving the redaction knife is a few footnotes which indicate this document has something to do with the pen register/trap and trace bastardization that turned a targeted surveillance technique with a low legal barrier to entry into a broad, untargeted dragnet with a low legal barrier to entry. (PDF link.)

But this is how most of the "declassified" report looks.

Right-margin barely large enough to contain the exemptions.

The unexpected use of black in a sea of white redactions.

All of the above is in addition to several pages that were withheld in their entirety, without even being given the chance to be redacted into uselessness.

What remains is mainly footnotes. One supplies a description of PR/TT surveillance pulled directly from the US code. One references CALEA (Communications Assistance for Law Enforcement Act). One footnote points out that the FBI is not allowed to "affirmatively search" content gathered incidentally by this program, unless, of course, (truck-sized loophole ahead) it needs to "prevent harm to national security."

In total, the document is of zero value to anyone anywhere. No information was freed, nor will it be -- not if intelligence officials have the final say for redactions. The redactions can be challenged, but that's in EPIC's hands.

The second document, a declaration in support of the PR/TT program by CIA director George Tenet, contains more readable info… but just barely. There's a lot of redactions in here as well but the main struggle is reading the remaining text which looks like it was rolled off a myopic, 75-year-old mimeograph. (PDF link.)

Most of Tenet's declaration revolves around threats the CIA was tracking, none of which are allowed past the censor, despite it being a decade later. The name Al-Qaeda appears every so often, and there's hints of a discussion revolving around surveillance tactics and government actions related to the 9/11 attacks, but most of this information is withheld as well.

Interestingly, Tenet notes that the CIA (and other agencies) have picked up signals that signal a "US strike" in the "next four months," possibly in conjunction with the 2004 elections. It also cautions that being too effective may be accelerating terrorists' attack plans, with detainments and other factors possibly causing terrorism leaders to believe their operations are compromised.

Tenet declares all the redacted surveillance programs to have been essential in disrupting terrorists' plans and/or possibly pushing attack timetables forward, noting that the PR/TT has been invaluable in lots of things that are completely redacted. In conclusion, please give the NSA/FBI PR/TT dragnet privileges.

So much for transparency. Even a discontinued surveillance program is subject to page after page of complete redaction, including documents discussing threats over a decade old whose attacks and plans were either thwarted or never came to fruition. The word "declassify" generally is taken to mean a release of information previously withheld, but in the ODNI's hands, all it means is the release of as little as possible.

Senators Slam White House For CIA Torture Report Redactions That Make It 'Incomprehensible'
Mike Masnick, Wed, 6 Aug 2014 07:52:29 PDT
https://www.techdirt.com/articles/20140805/15240828119/senators-slam-white-house-cia-torture-report-redactions-that-make-it-incomprehensible.shtml

taken aback by the amount of redacted information when they received back the black ink-drenched copy of the executive summary to the $40 million, 6,300 page "devastating" report on the CIA's torture program prepared by the Senate Intelligence Committee. In response, James Clapper shot back that the redactions were "minimal" and over 85% of the document was free from black ink (it's not clear if he was counting the margins as well...).

Of course, as Marcy Wheeler has pointed out, this is just about the executive summary of the report -- which was specifically written to be published. In other words, the really "secret" stuff is in the rest of the report, but the 408 page exec summary was written with public disclosure in mind -- meaning that the Senate Intelligence Committee staffers certainly wrote it with the expectation that it would need few, if any, redactions. So the fact that large chunks of it were redacted immediately set off some alarms.

“After further review of the redacted version of the executive summary, I have concluded the redactions eliminate or obscure key facts that support the report’s findings and conclusions. Until these redactions are addressed to the committee’s satisfaction, the report will not be made public.

“I am sending a letter today to the president laying out a series of changes to the redactions that we believe are necessary prior to public release. The White House and the intelligence community have committed to working through these changes in good faith. This process will take some time, and the report will not be released until I am satisfied that all redactions are appropriate.

“The bottom line is that the United States must never again make the mistakes documented in this report. I believe the best way to accomplish that is to make public our thorough documentary history of the CIA’s program. That is why I believe taking our time and getting it right is so important, and I will not rush this process.”

Senator Carl Levin then came out with a much more strongly worded condemnation of the redactions, suggesting that they were clearly designed to hide embarrassing information, which is not a legitimate reason for redactions:

“The redactions that CIA has proposed to the Intelligence Committee’s report on CIA interrogations are totally unacceptable. Classification should be used to protect sources and methods or the disclosure of information which could compromise national security, not to avoid disclosure of improper acts or embarrassing information. But in reviewing the CIA-proposed redactions, I saw multiple instances where CIA proposes to redact information that has already been publicly disclosed in the Senate Armed Services Committee report on detainee abuse that was reviewed by the administration and authorized for release in 2009. The White House needs to take hold of this process and ensure that all information that should be declassified is declassified.”

Senator Mark Udall issued a statement in which he notes that the "strategic" redactions are used to distort the nature of what's in the report:

"While Director Clapper may be technically correct that the document has been 85 percent declassified, it is also true that strategically placed redactions can make a narrative incomprehensible and can certainly make it more difficult to understand the basis for the findings and conclusions reached in the report. I agree wholeheartedly that redactions are necessary to protect intelligence sources and methods, but the White House must work closely with this committee to reach this goal in a way that makes it possible for the public to understand what happened.

"I am committed to working with Chairman Feinstein to declassify the Senate Intelligence Committee's study to the fullest extent possible, correct the record on the CIA's brutal and ineffective detention and interrogation program, and ensure the CIA learns from its past mistakes. And in light of the importance of the work the Senate Intelligence Committee has undertaken, I believe that the chairman should take all necessary time to ensure that the redactions to the executive summary are appropriate — not merely made to cover up acts that could embarrass the agency.

"The CIA should not face its past with a redaction pen, and the White House must not allow it to do so."

All three of those Senators are well aware of what's in the report, and it appears they recognize that the black ink was being used not to protect national security or "sources and methods" but rather to hide or distort the facts of the CIA's torture program.

How Serious Is James Clapper About Cybersecurity When His Office Can't Even Get Its SSL Certificate Right?
Mike Masnick, Thu, 24 Jul 2014 07:43:53 PDT
https://www.techdirt.com/articles/20140723/17544627985/how-serious-is-james-clapper-about-cybersecurity-when-his-office-cant-even-get-its-ssl-certificate-right.shtml

isn't even valid:

In response, Soghoian joked: "[ODNI], I'll make you a deal: You fix your website's broken encryption cert, and I'll start to take your cyber fearmongering seriously."

Court Rules Against EFF In DOJ FOIA Lawsuit... But Mainly Because ODNI Already Declassified Most Of It
Mike Masnick, Mon, 21 Jul 2014 15:38:46 PDT
https://www.techdirt.com/articles/20140719/07224427937/court-rules-against-eff-doj-foia-lawsuit-mainly-because-odni-already-declassified-most-it.shtml

joked about how James Clapper and the Office of the Director of National Intelligence (ODNI) like to claim that the various documents they've been declassifying and releasing in the post-Snowden era are decisions they've made out of the goodness of their transparency-loving hearts, when the reality is that much of it is in response to FOIA lawsuits from the EFF. When it comes to Section 702 of the FISA Amendments Act, the part of the law that covers PRISM and (more importantly) the direct "upstream" tapping of the internet backbone via companies like AT&T, EFF had asked for a variety of documents pertaining to how the program was run. After ODNI did everything possible to refuse to provide such documents in any meaningful way, EFF sued.

Following the Snowden revelations, and the sudden "we love transparency*" (*not really) attitude of the ODNI, it started re-reviewing the original redactions and (look at that!) suddenly realized that it didn't actually need to have wasted so much black ink on the originals. EFF continued to push back on certain redactions, and ODNI magically discovered even more wasted black ink. Eventually, huge portions of the various documents that had previously been withheld were revealed. EFF kept pushing, and asked the court to review some of the remaining redactions, just to make sure that ODNI wasn't hiding anything solely out of embarrassment, rather than for legitimate national security purposes. The court got to secretly review the unredacted document, asked some detailed questions of the DOJ, leading to even more redactions falling by the wayside. So, now, finally, after all of that, the judge has basically said that all of the remaining redactions are legitimate, and thus effectively rules "against" the EFF.

However, this is a pretty clear victory for the EFF, considering that during the course of the case it was able to remove many of the original redactions. Of course, this is still problematic, because it highlights how many of those original redactions were clearly improper, and it took this long and convoluted process (and Ed Snowden) before ODNI was willing to reveal these documents concerning a rather key program in how the NSA conducts surveillance.

James Clapper Issues Non-Denial Denial Of Greenwald's Story About Surveillance Of Muslim-Americans
Mike Masnick, Wed, 9 Jul 2014 14:23:59 PDT
https://www.techdirt.com/articles/20140709/06462427821/james-clapper-issues-non-denial-denial-greenwalds-story-about-surveillance-muslim-americans.shtml

spying on prominent Muslim American politicians, lawyers and civil rights activists. If you follow this stuff closely, you may have heard that Greenwald was originally supposed to publish that story last week, but held off at the last minute due to some "new information" from the government. This resulted in some silly and ill-informed conspiracy theories, but in the article Greenwald explains what actually happened:

The Justice Department did not respond to repeated requests for comment on this story, or for clarification about why the five men’s email addresses appear on the list. But in the weeks before the story was published, The Intercept learned that officials from the department were reaching out to Muslim-American leaders across the country to warn them that the piece would contain errors and misrepresentations, even though it had not yet been written.

Prior to publication, current and former government officials who knew about the story in advance also told another news outlet that no FISA warrant had been obtained against Awad during the period cited. When The Intercept delayed publication to investigate further, the NSA and the Office of the Director of National Intelligence refused to confirm or deny the claim, or to address why any of the men’s names appear on the FISA spreadsheet. Prior to 2008, however, FISA required only an authorization from the attorney general—not a court warrant—for surveillance against Americans located overseas. Awad frequently travelled to the Middle East during the timeframe of his surveillance.

The fact that it was out warning people that the story was inaccurate before anything had even been written is... quite telling. Also, the fact that it only seemed to focus on the lack of a FISA warrant (and against one individual) seems like the standard form of the intelligence community choosing their words especially carefully to say one thing, while implying something else entirely. Now that the report has actually come out, the Office of the Director of National Intelligence (ODNI) has issued a statement that is more of the same. You will note, for instance, that it does not deny spying on the five named individuals -- only that it doesn't spy on people because of their political, religious or activist views:

It is entirely false that U.S. intelligence agencies conduct electronic surveillance of political, religious or activist figures solely because they disagree with public policies or criticize the government, or for exercising constitutional rights.

Unlike some other nations, the United States does not monitor anyone’s communications in order to suppress criticism or to put people at a disadvantage based on their ethnicity, race, gender, sexual orientation or religion.

Our intelligence agencies help protect America by collecting communications when they have a legitimate foreign intelligence or counterintelligence purpose.

Again, note the specific denial they're making. They're not denying they spied on these five individuals. They're claiming that if they spied on them, it wasn't because of their religion -- though the evidence presented in the Intercept article certainly rules out many other explanations. And, remember, it was just a week ago that it was revealed that the NSA does, in fact, consider people interested in Tor or open source privacy to be extremists. So, while it may be technically true that these individuals weren't targeted because of their religion, it does seem fairly clear that the intelligence community has fairly low standards for what it takes to convince themselves that someone may be a threat.

Furthermore, the statement admits that there are cases where it spies on people without approval from the FISA Court, but doesn't say what those examples are beyond "in an emergency." That may imply the only cases are in an emergency, but that's not what the statement actually says:

With limited exceptions (for example, in an emergency), our intelligence agencies must have a court order from the Foreign Intelligence Surveillance Court to target any U.S. citizen or lawful permanent resident for electronic surveillance.

These court orders are issued by an independent federal judge only if probable cause, based on specific facts, are established that the person is an agent of a foreign power, a terrorist, a spy, or someone who takes orders from a foreign power.

And, again, as the Intercept report itself notes, prior to 2008, there were different standards in place for people traveling overseas (even Americans) which could explain how some of these individuals were targeted.

The ODNI statement more or less concludes by suggesting that the five people named may have been agents of foreign powers, which is quite a claim:

No U.S. person can be the subject of surveillance based solely on First Amendment activities, such as staging public rallies, organizing campaigns, writing critical essays, or expressing personal beliefs.

On the other hand, a person who the court finds is an agent of a foreign power under this rigorous standard is not exempted just because of his or her occupation.

It's a neat little out. Accused of spying on five Americans who pretty clearly do not appear to be agents of foreign powers, just hint strongly that they really are agents of foreign powers. It's back to the good old days of McCarthyism.

EFF Sues NSA Again Over Failure To Release Procedures For Dealing With Zero Days
Mike Masnick, Wed, 2 Jul 2014 15:11:00 PDT
https://www.techdirt.com/articles/20140701/17212727750/eff-sues-nsa-again-over-failure-to-release-procedures-dealing-with-zero-days.shtml

lawsuit filed by the EFF against the NSA. As you may recall, back in April there was some discussion about how the NSA deals with zero day exploits it discovers, and (specifically) whether or not it reveals them to relevant parties or keeps them for its own ability to exploit them. The NY Times revealed that President Obama had put in place an official rule that said the NSA should have a "bias" towards revealing the flaws, but left open a gaping loophole in saying the NSA could exploit those zero days for "a clear national security or law enforcement need." That's a pretty big loophole -- especially when you consider how law enforcement has been abusing every opportunity of late.

EFF filed a FOIA request to find out about the NSA's process for determining whether to exploit or reveal a zero day... and hasn't received a response, despite a promise by the government to "expedite" the request. Hence: the new lawsuit.

"This FOIA suit seeks transparency on one of the least understood elements of the U.S. intelligence community's toolset: security vulnerabilities," EFF Legal Fellow Andrew Crocker said. "These documents are important to the kind of informed debate that the public and the administration agree needs to happen in our country."

Over the last year, U.S. intelligence-gathering techniques have come under great public scrutiny. One controversial element has been how agencies such as the NSA have undermined encryption protocols and used zero days. While an intelligence agency may use a zero day it has discovered or purchased to infiltrate targeted computers or devices, disclosing its existence may result in a patch that will help defend the public against other online adversaries, including identity thieves and foreign governments that may also be aware of the zero day.

"Since these vulnerabilities potentially affect the security of users all over the world, the public has a strong interest in knowing how these agencies are weighing the risks and benefits of using zero days instead of disclosing them to vendors," Global Policy Analyst Eva Galperin said.

These days, it really does seem that the only way to get the government to cough up these kinds of documents is to file a lawsuit, which really defeats the purpose of the whole FOIA process. Perhaps the government should just admit it's a charade and let people go straight to the lawsuit filing process instead.

New FISC Memorandum Says Bulk Metadata Program Still Good To Go Until Congress Or Supreme Court Says Otherwise
Tim Cushing, Mon, 30 Jun 2014 20:39:00 PDT
https://www.techdirt.com/articles/20140628/17081227716/new-fisc-memorandum-says-bulk-metadata-program-still-good-to-go-until-congress-supreme-court-says-otherwise.shtml

First Ever Transparency Report, this tentative and forced step into transparency was a step forward for No Such Agency, even if each document release has been accompanied by the unmistakable sound of gritting teeth and a nearly universal refusal to acknowledge that most of the "openness" had been compelled by court orders following FOIA lawsuits.

Also noted was the fact that the new transparency was short a few documents, namely the March renewal order for the bulk phone metadata collection. Lo and behold and under the cover of late Friday afternoon (to better be smuggled in as the nation punched its collective timeclock), the Office of the Director of National Intelligence released two orders: the March and June renewals of the bulk records collections.

There's nothing very notable about either of the two renewal orders, both of which say roughly the same thing and wear their fashionable black redaction marks on exactly the same words. What is notable is the memorandum opinion released with them, which details the events that have occurred in recent months that have affected both the collection and the minimization procedures the NSA follows.

In the past few months, two metadata-related lawsuits have resulted in court orders demanding preservation of evidence, some of which was due to age off as part of the normal minimization procedures. The court orders wreaked a bit of havoc in FISC judge Reggie Walton's court, forcing him to first order data to be destroyed (noting again that the minimization procedures were one of the few things that even allowed this bulk collection of American data to be legal) and finally, once the DOJ had stopped misleading him (and the cases' plaintiffs themselves), to halt the destruction of relevant (to the cases, not to counterterrorism) metadata.

Throughout it all, the DOJ performed a remarkable plate-spinning act, keeping all decisions aloft while it contemplated best-case scenarios. Unlike true plate-spinning acts, the DOJ really didn't care whether the plates continued spinning or crashed to the ground, as it's unlikely to ever allow this evidence to be used in court. (Indeed, it spent much of its plate-spinning time destroying data it was ordered to preserve.) Though the three involved courts had plenty to do to ensure the rights of non-NSA Americans weren't violated, the DOJ's main purpose was to shuttle paperwork back and forth until it could be safely revealed that the multi-billion dollar superspyplex was incapable of doing the very thing under discussion: preserving data past the expiration date. (This should have come as no surprise, considering the NSA had announced previously that it was incapable of searching its own email system. [And yet, it claims to have found only one email related to Snowden whistleblowing attempts.])

Also, during the past few months, two contradicting court opinions on the legality of the bulk record collections were released. The one that found it unconstitutional (DC district court judge Richard Leon) was stayed awaiting appeal, changing nothing in the NSA's plans to collect it all, but prompting some reflection from the FISA court. The other confirmed the status quo.

All the while, millions of gallons of prime (and confidential) desert water (acquired at budget rates) continued to flow into the NSA's new Utah spybox even as, ironically, fires broke out within the building itself. The security state is still alive and well… even if it seems to be pausing more frequently to catch its breath and favoring a limb or two.

But back to the order. During the disarray of the last few months, two bulk records orders were renewed. While the memorandum changes nothing, it does at least acknowledge the fact that the collection is under considerable public scrutiny, not to mention awaiting implementation of the administration's reforms. But it does point out that there are really only two entities that can bring a complete halt to this collection -- and so far, neither has made that move.

The unauthorized disclosure of the bulk telephony metadata collection more than a year ago led to many written and oral expressions of opinions about the legality of collecting telephony metadata. Congress is well aware that this Court has interpreted the provisions of 50 U.S.C. 1861 to permit this particular collection, and diverse views about the collection have been expressed by individual members of Congress. In recent months, Congress has contemplated a number of changes to the Foreign Intelligence Surveillance Act, a few of which would specifically prohibit this collection. Congress could enact statutory changes that would prohibit this collection going forward, but under the existing statutory framework, I find that the requested authority for the collection of bulk telephony metadata should be granted. Courts must follow the law as it stands until the Congress or the Supreme Court changes it.

The House stripped the USA Freedom Act of nearly all of its teeth before passage, which makes it a long shot for Congress to explicitly outlaw this collection any time soon. Various other reform measures, including an amendment that slammed one domestic surveillance backdoor shut, have fared better.

The issue may eventually end up in the Supreme Court (which has shot down two attempts already), but despite a recent victory for the Fourth Amendment, the court system's deference to "national security" arguments has generally resulted in wins for the government. Even if it does land in front of the justices, there's little to indicate that whatever case forces consideration of the issue will be the best scenario to "test" the issue, much less provide a solid platform for Fourth Amendment arguments. And even if the Supreme Court does agree bulk records collection violates citizens' rights, the government will swiftly act to ensure the decision has only a minimal effect on its collection efforts.

Finally, there's a small paragraph that indicates that the release of these two documents was, again, not the result of the ODNI's half-hearted embrace of openness.

In light of the public interest in this particular collection and the government's declassification of related materials, including substantial portions of Judge Eagan's August 29 Opinion, Judge McLaughlin's October 11 Memorandum, and Judge Collyer's March 20 Opinion and Order, I request pursuant to FISC Rule 62 that this Memorandum Opinion and Accompanying Primary Order also be published, and I direct such request to the Presiding Judge as required by the Rule.

The rule cited allows FISC judges to order the release of orders, opinions and decisions and is by no means a recent development. The rules date back to 2006, but it's only in the last year that we've seen anyone exercise this option. Does anyone out there think this would have occurred without "unauthorized disclosure?" Those looking to lock up Snowden for his leaks would do well to remember small details like this. Going through "proper channels" wouldn't have forced this level of transparency or prompted the secretive FISA court to start ordering declassifications on its own. It took a whole lot of pushing and the stripping away of layer after layer of secrecy and plausible deniability to achieve this.

Transparency Report From Office Of The Director Of National Intelligence Shows Government Issuing 50 NSLs Per Day
Tim Cushing, Fri, 27 Jun 2014 12:23:00 PDT
https://www.techdirt.com/articles/20140627/10000227702/transparency-report-office-director-national-intelligence-shows-government-issuing-50-nsls-per-day.shtml

In the begrudging spirit of forced openness, the Office of the Director of National Intelligence (James "Least Untruthful" Clapper, presiding) has released its First Annual Ever Transparency Report. So, what have our intelligence agencies been up to for the last calendar year? Well, a little of this and a whole lot of that, all of it broken down into numbers that don't really provide that much transparency.

The figure that first stands out is related to the Section 702 program. As defined in intelspeak, the 702 program:

facilitates the acquisition of foreign intelligence information concerning non-U.S. persons located outside the United States, creating a new, more streamlined procedure to collect the communications of foreign terrorists.

Like other bulk surveillance programs, Section 702 supposedly targets non-US persons but frequently "incidentally" collects content from US persons and other non-targets. This data on Americans is then searchable via backdoor searches. Much of this information is collected directly off the "Internet backbone" as communications flow through NSA collection points. The authority it operates under is incredibly vague and almost completely without adequate oversight. This last sentence explains the following numbers.

In contrast with sections 703, 704 and pen register requests -- where the number of targets roughly corresponds with the number of orders -- the 702 program operates under one order… which nets over 89,000 targets. Note -- and this is important -- that the report only says how many "targets" are "affected." It does not say how many other people's communications are "incidentally" collected along the way and made open to those backdoor searches. And, rest assured, that number is likely much larger than 89,000 -- especially since we already know that any communication "about" any target gets swept up, but that won't count towards that number. And, as discussed below, the definition of "target" can often mean something entirely different than what you think it means. This broad collection, one that harvests content rather than (supposedly harmless) metadata, is one of the NSA's favorite tools and explains its willingness to discuss alterations to the Section 215 bulk metadata program, but not to change the 702 program at all. (Not that anything much actually happened to the 215 program, even after all of the discussion.)

What's more interesting, though, is the long discussion about the incredibly high number of National Security Letters issued in 2013.

The FBI (along with other agencies) is issuing NSLs at the rate of 53 per day. The ODNI's long explanation attempts to portray this huge number as most certainly not evidence of NSL abuse.

In addition to those figures, today we are reporting (1) the total number of NSLs issued for all persons, and (2) the total number of requests for information contained within those NSLs. For example, one NSL seeking subscriber information from one provider may identify three e-mail addresses, all of which are relevant to the same pending investigation and each is considered a “request.”

So, the FBI (and unnamed other agencies) must issue a new NSL (the "must" is up for discussion) for each account it wishes to collect from, whether it's an email address or some other online account. And if multiple names are used for one target, then new NSLs must be issued to claim that information. And so on, until the government is issuing nearly 20,000 per year.

The ODNI attempts to explain how difficult it is to narrow down how many people are being targeted by NSLs.

We are reporting the annual number of requests rather than “targets” for multiple reasons. First, the FBI’s systems are configured to comply with Congressional reporting requirements, which do not require the FBI to track the number of individuals or organizations that are the subject of an NSL.

Even if the FBI systems were configured differently, it would still be difficult to identify the number of specific individuals or organizations that are the subjects of NSLs. One reason for this is that the subscriber information returned to the FBI in response to an NSL may identify, for example, one subscriber for three accounts or it may identify different subscribers for each account…

We also note that the actual number of individuals or organizations that are the subject of an NSL is different than the number of NSL requests. The FBI often issues NSLs under different legal authorities, e.g., 12 U.S.C. § 3414(a)(5), 15 U.S.C. §§ 1681u(a) and (b), 15 U.S.C. § 1681v, and 18 U.S.C. § 2709, for the same individual or organization.

All well and good, but the DOJ's transparency report (linked to by the ODNI) breaks that number down just fine. (For whatever reason, the ODNI Tumblr post links to a report for 2012. The PDF of the ODNI's report contains a link to the 2013 version. Both are embedded below.)

From the 2013 letter:

In 2013, the FBI made 14,219 NSL requests (excluding requests for subscriber information only) for information concerning United States persons. These sought information pertaining to 5,334 different United States persons.

From the 2012 letter:

In 2012 the FBI made 15,229 NSL requests (excluding requests for subscriber information only) for information concerning United States persons. These sought information pertaining to 6,223 different United States persons.

It appears the FBI has the power to narrow down the number of persons targeted by its NSLs, although something must have happened in 2013 that made it append the following footnote to its FY2013 letter.

In the course of compiling its National Security Letter statistics, the FBI may over-report the number of United States persons about whom it obtained information using National Security Letters. For example, NSLs that are issued concerning the same U.S. person and that include different spellings of the U.S. person's name would be counted as separate U.S. persons, and NSLs issued under two different types of NSL authorities concerning the same U.S. person would be counted as two U.S. persons. This statement also applies to previously reported annual U.S. person numbers.

The DOJ's transparency letters again point out that the FISA court is basically approving everything set in front of it. Only one order has been withdrawn in the last two years and only 74 of 3,511 orders presented for "electronic surveillance" and/or "physical searches" were modified. The Section 215 collection requests were sent back for modification more often (roughly 2/3rds of the time) but ultimately, not a single one of those requests was denied.

So, there's more transparency than we're used to, but the 702 program still remains the best kept open secret. One order accesses thousands of "targets," and the ODNI hasn't exactly been forthcoming with additional details. Another explanatory note included does, however, point out inadvertently how useless the word "target" is when deployed by the NSA.

Within the Intelligence Community, the term “target” has multiple meanings. For example, “target” could be an individual person, a group, or an organization composed of multiple individuals or a foreign power that possesses or is likely to communicate foreign intelligence information that the U.S. government is authorized to acquire by the above-referenced laws.

Section 702's "explanation" takes it even farther:

In addition to the explanation of target above, in the context of Section 702 the term “target” is generally used to refer to the act of intentionally directing intelligence collection at a particular person, a group, or organization.

Except that it doesn’t admit that, at least in the past, sometimes target means “the switch we know lots of al Qaeda calls to use.” Meaning the term “target” is a misnomer even within the context they lay out.

There's still nothing "targeted" about the NSA's supposedly targeted collections. The collection comes first and the targeting comes later -- sometimes using pre-determined selectors and other times by splashing around in the data until something presents itself. What the NSA means by "target" is nothing more than a term deployed to gain access to massive amounts of communications and data, all under the theory that it's somehow "relevant" to its counter-terrorism work.

The new report is a step towards transparency, but it's a very calculated move that throws out a few vague numbers while withholding anything that could put them into context. In this sense, it follows the administration's idea of transparency: nothing that goes deeper than the surface.

Senators To Obama: Hey You Can End Bulk Phone Data Collection Today; Obama: Ha, Ha, Ha, Nope!
Mike Masnick
Fri, 20 Jun 2014 15:01:27 PDT
https://www.techdirt.com/articles/20140620/14522227639/senators-to-obama-hey-you-can-end-bulk-phone-data-collection-today-obama-ha-ha-ha-nope.shtml

reminding him that he can live up to his promise to end bulk phone record collection today by simply having the DOJ not seek to renew the court order from the FISA Court getting the phone operators to hand over that data.

We welcome your proposal, announced on March 27, 2014, to end the bulk collection of Americans' phone records under Section 215 of the USA PATRIOT Act. We believe as you do that the government can protect national security by collecting the phone records of individuals connected to terrorism, instead of collecting the records of millions of law-abiding Americans. We also believe that you have the authority to implement your proposal now, rather than continuing to reauthorize the existing bulk collection program in 90-day increments.

And, of course, just hours later, James Clapper responded, not to the letter, but in a Tumblr post, which again mentions how President Obama promised to end such bulk collection, but then says that the administration is still seeking the next 90-day extension to keep collecting those phone records. The post even calls out the passage of the totally watered-down USA Freedom Act in the House as "prohibiting" such bulk collection (even though it doesn't really do that, since it allows broad selectors that give the NSA effectively the same power). However...

Given that legislation has not yet been enacted, and given the importance of maintaining the capabilities of the Section 215 telephony metadata program, the government has sought a 90-day reauthorization of the existing program, as modified by the changes the President announced earlier this year.

Consistent with prior declassification decisions, in light of the significant and continuing public interest in the telephony metadata collection program, the Director of National Intelligence, James Clapper, has declassified the fact that the government’s application to renew the program was approved yesterday by the FISC. The order issued yesterday expires on September 12, 2014.

Wait. Given what importance of maintaining the capabilities? So far, every analysis of the program has shown that it wasn't important at all. How could anyone in the administration still claim with a straight face that the Section 215 bulk phone records collection is "important" when everyone who's seen the evidence agrees that the program has been next to useless in stopping terrorism?

Either way, even though President Obama has already said that he wants the program ended, and he could do so, he's still keeping it going.

James Clapper: Yes, Snowden Emailed NSA Lawyer, But Not About His Concerns
Mike Masnick
Thu, 29 May 2014 12:56:37 PDT
https://www.techdirt.com/articles/20140529/12034327393/james-clapper-yes-snowden-emailed-nsa-lawyer-not-about-his-concerns.shtml

had confirmed that Snowden had raised some of his concerns to people within the intelligence community. In response, James Clapper's office (the Office of the Director of National Intelligence) has now released what they claim is the only email Snowden sent to the NSA's legal team. The email was sent just about a month before Snowden went to Hong Kong, and, as ODNI notes, does not address the issues related to Snowden's whistleblowing concerns:

Furthermore, the ODNI notes:

There are numerous avenues that Mr. Snowden could have used to raise other concerns or whistleblower allegations. We have searched for additional indications of outreach from him in those areas and to date have not discovered any engagements related to his claims.

Of course, it's worth noting that for all the talk of "proper channels" it's actually not so easy. In fact, the person that he would have gone to has already noted he would have told Snowden to shut up, and was completely insulting about Snowden. So it's not as if there really were legitimate channels. And Snowden already knew that going through the full whistleblowing process would get him labeled as a troublemaker.

That said, it does sound as though Snowden may have slightly exaggerated his claims concerning his conversation with the NSA's lawyers.

Yet Again, A Freedom Of Information Act Request Results In LESS Information Being Freed
Tim Cushing
Thu, 15 May 2014 15:01:01 PDT
https://www.techdirt.com/articles/20140428/14394027053/yet-again-freedom-information-act-request-results-less-information-being-freed.shtml

Intelligence agencies seem to make some very un-intelligent decisions. Just last month, James Clapper told NSA employees they were no longer free to talk to the media in an extremely misguided attempt to head off future leaks.

Last month, ODNI issued a heavily redacted version of its Intelligence Community Directive 304 on “Human Intelligence.” The redacted document was produced in response to a Freedom of Information Act request from Robert Sesek, and posted on ScribD.

The new redactions come as a surprise because most of the censored text had already been published by ODNI itself in an earlier iteration of the same unclassified Directive from 2008. That document has since been removed from the ODNI website but it is preserved on the FAS website here.

So, why would it do this? Steven Aftergood at FAS Secrecy News suspects it might be the ODNI caving to the CIA's desire to keep everything a secret.

A comparison of the redacted and unredacted versions shows that ODNI is now seeking to withhold the fact that the Director of the Central Intelligence Agency functions as the National HUMINT Manager, among other things.

The CIA is only rivaled by the New York Police Department in terms of unresponsiveness to FOIA requests. That it would demand information related to its "super-secret" HUMINT (human intelligence) work be redacted isn't a surprise. That it would have no idea that this information is out in the open is a bit more surprising. But considering the government's extremely scattershot approach to overclassification, it is not entirely unexpected.

The entire document is marked as "Unclassified," which means there's very little reason to have any of this redacted, especially considering its previous official, unredacted release. The CIA isn't the only agency to have its information withheld, although that is probably more a product of what the redacted statement says, rather than an indication of the other agencies' desire for secrecy. The sections for both the FBI and the Defense Department have this sentence blacked out.

Apparently, the ODNI would prefer that no one know (enemies or citizens) these agencies secure information through "clandestine means," which is something everyone expects the CIA to be doing, if not the FBI.

The exemption stated [b(3)] is a bit strange itself. It's supposedly limited to information that is subject to other statutes prohibiting the information's disclosure. Whatever that unnamed statute is, it must have gone into effect at some point between 2009 (the latest date on the unredacted version) and last month. Or, more likely, the exemption was just a handy excuse for blotting out the CIA's involvement in this particular form of intelligence gathering, one the ODNI won't have to explain until the end of the year when it (like all government agencies) must list the statutes used to justify b(3) redactions.

This is just another example of the greatest irony of the FOIA Act. The ODNI publishes a completely unredacted version on its own site but when a citizen asks for a copy, it redacts half the document. A Freedom of Information Act response creates an information deficit. That makes sense.

How White House's 'No Commenting' On Media Leaks Policy Makes Life Difficult For Professors
Mike Masnick
Mon, 12 May 2014 16:02:42 PDT
https://www.techdirt.com/articles/20140509/17305127185/how-white-houses-no-commenting-media-leaks-policy-makes-life-difficult-professors.shtml

or former intelligence community officials from even discussing media reports of leaked documents. The whole thing, coming from James Clapper, seemed bizarre (and likely unconstitutional). It's also just stupid. Denying people the ability to talk about information that is publicly being discussed serves no good purpose. And the impact is being felt in a variety of places. Famed crypto expert Matt Blaze is talking about how he's now in a tough spot, because if he assigns students to read content concerning media leaks, he puts intelligence community students in an "untenable position." And that's ridiculous. Denying the students the ability to even discuss very relevant, timely information that everyone else is discussing seems like a dangerous restriction -- especially on people who you should want to be involved in those discussions.

Latest (Official) Document Release Takes A Look At The NSA's Bulk Collection Of Financial Records
Tim Cushing
Tue, 1 Apr 2014 15:03:00 PDT
https://www.techdirt.com/articles/20140331/14564326755/latest-official-document-release-takes-look-nsas-bulk-collection-financial-records.shtml

Three more documents have been pried from the cold, decidedly-not-dead hands of the Office of the Director of National Intelligence. Rather than tell us how INTERESTED the intelligence "community" is in this dialogue it's been forced into by leaked documents, the ODNI unceremoniously dumped these on the national desktop before skipping town for the weekend. At least this time, it had the decency to namecheck the EFF's FOIA lawsuit, albeit over at Twitter rather than at the official ODNI blog.

There are three documents this time around, one of which is an update of Judge Walton's corrective measures put in place after discovering the agency's phone metadata program had not been run correctly since its institution. It's a good read but most of it's been covered here before.

The most notable aspect is a discussion of the "alert list," the numbers the NSA used to search incoming phone records. As of 2006, the NSA had 3,980 phone numbers on the list, all of which were deemed to meet the "RAS (reasonable articulable suspicion) standard." This was what was represented to the court. But it was discovered that many more than that had been used for queries without RAS or court approval.

Unfortunately, the universe of compliance matters that have arisen under the Court's Orders for this business records collection extends beyond the events described above. On October 17, 2008, the government reported to the FISC that, after the FISC authorized the NSA to increase the number of authorized to access the BR metadata to 85, the NSA trained those newly authorized on Court-ordered procedures. Despite this training, however, the NSA subsequently determined that 31 NSA analysts had queried the BR metadata during a five day period in April 2008 "without being aware they were doing so." (emphasis added [by Judge Walton]). As a result, the NSA used 2,373 foreign telephone identifiers to query the BR metadata without first determining that the reasonable articulable suspicion standard had been satisfied.

That's five days' worth of searching records with 2,373 numbers that didn't meet the FISC court's standards or the NSA's own stated minimization procedures, with a possible three "hops" worth of data added. As the court has pointed out before, bypassing these standards makes the harvesting of this data illegal.

Regardless of what factors contributed to making these misrepresentations, the Court finds that the government's failure to ensure that responsible officials adequately understood the NSA's alert list process, and to accurately report its implementation to the Court, has prevented, for more than two years, both the government and the FISC from taking steps to remedy daily violations of the minimization procedures set forth in FISC orders and designed to protect [redacted] call detail records pertaining to telephone communications of U.S. persons located within the United States who are not the subject of any FBI investigation and whose call detail information could not otherwise have been legally captured in bulk.

Illegal capture of data that went unhindered for two years, despite daily violations. Who's looking out for Americans? Well, supposedly it's the good people at the NSA, along with its various levels of oversight. But if the oversight only gets its "facts" from the NSA, it's hardly in any place to provide oversight.

Also included in this document dump is another FISA court order limiting the NSA to court-approved searches (with emergency exceptions). Again, this is a direct result of the NSA's continued failure to abide by the limitations of the law and its own internal policies.

The most interesting document is a supplemental order from the FISA court, which serves to remind everyone that Section 215 covers a whole lot more than just telephone metadata.

The RFPA generally provides that "no Government authority" may obtain "financial records" from a "financial institution" unless one of several exceptions applies. See 12 U.S.C. 3402; see also id. 3403. Under one of those exceptions, the FBI may, without prior judicial review, compel a financial institution to produce financial records, provided that a designated FBI official has certified that the records are relevant to an authorized foreign intelligence investigation. 50 U.S.C. 3414(a)(5)(A). Pursuant to Section 1861, the government may request, and this Court may grant, "an order requiring the production of any tangible things (including books, records, papers, documents, and other items)" 50 U.S.C. 1861(a)(1) (emphasis added). Section 1861 requires the government to provide the Court with a "statement of facts showing that there are reasonable grounds to believe that the tangible things sought are relevant" to a foreign intelligence investigation, id. 1861(b)(2)(A), and the Court to determine that the application satisfies this requirement, see id. 1861(c)(1), before records are ordered to be produced.

Although the RFPA contains no provision explicitly allowing the production of financial records pursuant to a Section 1861 order, the Court agrees with the government that it would have been anomalous for Congress to have deemed the FBI's application of a "relevance" standard, without prior judicial review, sufficient to obtain records subject to the RFPA, but to have deemed this Court's application of a closely similar "relevance" standard insufficient for the same purpose.

In addition, the number of Section 215 orders started going up drastically in 2010, along with the number of orders the FISC modified to require minimization procedures.

Nevertheless, the reports show us two new things.

I’ve suggested that 176 modified applications may suggest the government has as many as 44 bulk collection programs, which would be renewed every three months (or, alternately, a whole lot more specific bulk collection orders).

That is, this rise in what are almost certainly bulk collection orders came around the same time as FISC “Bates-stamped” the collection of financial records with Section 215.

Phone metadata has been the issue on everyone's minds these past few weeks, but the reality is that the NSA is collecting several other bulk records under the same authority. And these are all obtained under the pretense that they're somehow "relevant" to a terrorist-related investigation, even though they're gathered in bulk and any minimization procedures can only be speculated on at this point in time.

Even "just metadata" from phone records can paint a pretty accurate picture about someone "incidentally" caught up in the NSA's dragnet. Add another few dozen forms of "metadata" and it's pretty much indistinguishable from giving the agency unfettered access to the everyday lives of millions of people.

60 Days After Being Asked, James Clapper Finally Answers Ron Wyden's Question About Collecting US Citizens' Communications
Tim Cushing
Tue, 1 Apr 2014 12:00:44 PDT
https://www.techdirt.com/articles/20140401/10571026764/60-days-after-being-asked-james-clapper-finally-answers-ron-wydens-question-about-collecting-us-citizens-communications.shtml

The game of 20 questions (National Security Edition) has finally paid off, weeks after the question was asked. Ron Wyden, one of the few legislators willing to pin down (or at least attempt to -- the NATSEC reps are a slippery bunch) exactly what the NSA is up to, has received a response to one of his pointed questions. (Wyden's ability to ask precisely the right question has pretty much turned any intel official's answer along the lines of "we can't discuss this publicly for national security reasons" into a de facto "yes.")

[I]n a letter to Senator Ron Wyden, an Oregon Democrat on the intelligence committee, the director of national intelligence, James Clapper, has confirmed for the first time this backdoor had been used in practice to search for data related to “US persons”.

“There have been queries, using US person identifiers, of communications lawfully acquired to obtain foreign intelligence targeting non-US persons reasonably believed to be located outside the United States,” Clapper wrote in the letter, which has been obtained by the Guardian.

“These queries were performed pursuant to minimization procedures approved by the Fisa court and consistent with the statute and the fourth amendment.”

So, there's the admission Wyden was seeking back on January 29th, but the story goes back much further than that. This is something that has been denied and obfuscated since the leaks began back in June of last year. The NSA (along with other agencies most likely) can grab Americans' communications without a warrant. It claims this is all legit because the agency "reasonably believes" these communications serve its foreign intelligence directive.

Clapper disingenuously points out that this was discussed during the debate over the renewal of Section 702 late last year.

“As you know, when Congress reauthorized Section 702, the proposal to restrict such queries was specifically raised and ultimately not adopted,” Clapper wrote.

Of course, no one had access to this information as Clapper and others had yet to officially acknowledge this backdoor.

It has taken just 9 months for Clapper to admit that, contrary to months of denials, the NSA (and FBI, which he doesn’t confirm but which the Report makes clear, as well as the CIA) can get the content of Americans’ communications without a warrant.

But Clapper’s admission that this fact was declassified in August should disqualify Vice Admiral Mike Rogers from confirmation as CyberComm head (I believe he started serving as DIRNSA head, which doesn’t require confirmation, yesterday). Because it means Rogers refused to answer a question the response to which was already declassified.

Again, the NSA, for all intents and purposes, has no oversight. Ron Wyden serves on the Senate Intelligence Committee and he's one of the few in this position who will actually attempt to extract info from closed-lipped intelligence officials. Despite his efforts, it took two months for him to obtain an answer that was declassified in August 2013. That's how the system actually works, but those defending the obfuscation artists charged with national security keep foisting their utopian dreamscape of checks and balances on the agency's many critics.